On Thu, Oct 18, 2018 at 9:18 AM Sara Golemon wrote:
> On Thu, Oct 18, 2018 at 9:16 AM Rowan Collins wrote:
> > If so, we could keep BC by having a validate method in each handler, but
> > only call it for hashes with the given prefix, and return an error if it
> > returns false.
> >
> That woul
On Thu, Oct 18, 2018 at 9:16 AM Rowan Collins wrote:
> On Thu, 18 Oct 2018 at 14:55, Sara Golemon wrote:
>> Unfortunately, I just sat down to implement it and noticed that we
>> have explicit test cases which verify that only hashes with a prefix
>> of "$2y" *and* a length of precisely 60 are ide
On Thu, 18 Oct 2018 at 14:55, Sara Golemon wrote:
> Unfortunately, I just sat down to implement it and noticed that we
> have explicit test cases which verify that only hashes with a prefix
> of "$2y" *and* a length of precisely 60 are identified as bcrypt. So
> either we need to loosen that che
>
> Opening https://wiki.php.net/rfc/password_registry for discussion.
>
> Should the registry support password hashing mechanisms defined in script
> code? (I don't think so, but feel free to disagree)
>
Not for disagreeing but for the discussion: allowing userland to provide
algos would allow pr
On Tue, Oct 16, 2018 at 11:54 AM Rowan Collins wrote:
> On Tue, 16 Oct 2018 at 16:35, Sara Golemon wrote:
>> On Tue, Oct 16, 2018 at 8:43 AM Rowan Collins wrote:
>> > As I understand it, the purpose of the $foo$ syntax is to uniquely identify
>> > each algorithm, so would it make sense to pa
On Tue, 16 Oct 2018 at 16:35, Sara Golemon wrote:
> On Tue, Oct 16, 2018 at 8:43 AM Rowan Collins wrote:
> > As I understand it, the purpose of the $foo$ syntax is to uniquely identify
> > each algorithm, so would it make sense to pass the prefix string to the
> > register call, and maintain
On Tue, Oct 16, 2018 at 8:43 AM Rowan Collins wrote:
> As I understand it, the purpose of the $foo$ syntax is to uniquely identify
> each algorithm, so would it make sense to pass the prefix string to the
> register call, and maintain a lookup table internally of prefix => handler?
>
If that's an
On Tue, 16 Oct 2018 at 13:48, Sara Golemon wrote:
> I don't consider the current internal API proposal fixed,
> particularly, I'm not too keen on the algorithm identification. What
> I've presented is a callback for a mechanism to say "Yes, I can verify
> that signature", but this means we must
Opening https://wiki.php.net/rfc/password_registry for discussion.
It's all in the elevator pitch, but the TL;DR is to make
password_hash()/password_verify() into a more easily extensible API
for multiple hashing mechanisms. Critically, this would allow us to
include new library dependent mechani